As AI transforms biopharmaceutical and medical device manufacturing, regulatory bodies are establishing clear guardrails. EU GMP Annex 22 represents the most significant development in AI regulation for our industry to date. Merit Solutions CEO Bill Burke breaks down the critical requirements, validation expectations, and preparation steps manufacturers should take now. This article was originally shared on LinkedIn and is republished here for our community.
EU GMP Annex 22: The New AI Regulatory Standard for Biopharma and Medical Device Manufacturing
The European Commission has taken a decisive step in defining the regulatory future of AI in biopharmaceutical and medical device manufacturing. On July 7, 2025, it released the draft EU GMP Annex 22: Artificial Intelligence—a six-page addition to EudraLex Volume 4 that sets the first comprehensive regulatory expectations for the use of AI in GxP environments.
Annex 22 was drafted by the EMA GMDP Inspectors’ Working Group in cooperation with PIC/S, ensuring alignment across more than 60 global regulatory authorities. The FDA and MHRA participated as observers, reinforcing its intention to serve as a globally harmonized framework—similar to the role 21 CFR Part 11 has played since the late 1990s.
Final publication is expected in 2026, with enforcement beginning in 2027–2028.
Why Annex 22 Matters Globally
Unlike high-level AI act legislation, Annex 22 is highly operational. It tells manufacturers exactly what they must do to deploy AI in GMP-regulated processes. That includes controls, validation requirements, explainability expectations, and model governance.
Given who contributed and observed in its development, Annex 22 is strongly positioned to become the global reference standard for AI in GxP manufacturing.
Three Critical Points Manufacturers Must Understand
1. Two Distinct Rulebooks: Critical vs. Non-Critical AI
Annex 22 draws a sharp boundary between AI used for critical GxP decisions and non-critical support tasks:
Critical AI (impacting patient safety, quality, or data integrity):
- Must use deterministic, static ML models
- Generative AI is prohibited
- Requires strict explainability
- Requires well-defined confidence thresholds and fallback routing
- Demands full lifecycle validation and monitoring
Non-critical AI (drafting, summarization, assistance):
- May use LLMs and generative models
- Human-in-the-loop review is mandatory
- Requires documented procedures, audit trails, and use controls
This is the clearest regulatory boundary we have ever seen for AI in a GMP context.
2. Validation Expectations Exceed Traditional Computerized Systems
Annex 22 raises the bar beyond Annex 11 and 21 CFR Part 11:
Critical AI must demonstrate:
- Independence of test, training, and production data
- Explainability for each decision or prediction
- Defined confidence thresholds with “uncertain” outputs routed to human review
- Continuous monitoring for model drift and degraded performance
- Performance equivalence: the AI must perform at least as well as the validated manual process it replaces
This last point is significant. Most companies cannot currently document the performance of their manual review processes. Annex 22 forces this foundational discipline.
3. Companies Should Begin Preparation Now
Manufacturers have time—but those who start early will gain a competitive advantage.
Foundation Work
- Inventory all current and planned AI use cases
- Classify each as critical or non-critical
- Document baseline performance of manual processes
- Identify gaps in explainability, governance, and data independence
Governance & Infrastructure
- Establish test data management with versioning and audit trails
- Define explainability requirements per use case
- Create SOPs for non-critical AI with human review
- Train QA, validation, and IT on Annex 22 expectations
Execution
- Pilot an Annex 22–compliant validation for one critical use case
- Establish model monitoring and alerting
- Prepare inspection-ready documentation and governance logs
This is the organizational discipline regulators expect to see by 2027.
How Merit Solutions Enables Customers to Comply
As a COTS [commercial off-the-shelf] software provider delivering operational, quality, and compliance solutions on Microsoft Dynamics 365 Finance & Supply Chain and Dynamics 365 Business Central, Merit Solutions plays a critical role in helping regulated manufacturers adopt AI responsibly.
Our commitment is clear: any AI capabilities delivered within Merit applications will be engineered, validated, and documented in alignment with EU GMP Annex 22 requirements. Customers can rely on Merit to deploy AI features that are inspection-ready from day one, with governance and controls embedded directly into the product.
To support Annex 22 compliance, all AI-enabled Merit functionality will incorporate:
- Clear classification of AI use cases (critical vs. non-critical) aligned with Annex 22 definitions
- Deterministic, static ML models for all critical GxP functions—no generative AI in regulated decision paths
- Human-in-the-loop controls for all non-critical generative AI features (drafting, summarization, query assistance)
- Explainability built into all algorithmic outputs, enabling auditors and QA to understand how decisions were made
- Defined confidence thresholds, including routing “uncertain” predictions to human review
- Independence of training, test, and production datasets, with appropriate versioning and lineage tracking
- Audit trails for all AI interactions, including prompts, responses, decisions, and overrides
- Continuous monitoring of model performance and drift, surfaced through operational dashboards
- Validation documentation and evidence consistent with Annex 22 expectations and harmonized with Annex 11 and 21 CFR Part 11 principles
This is our product philosophy: AI designed for regulated industries—built with compliance, governance, and inspection readiness at the core, not added later as an afterthought.
Merit will continue to partner closely with biopharmaceutical and medical device manufacturers, ensuring our platform remains aligned with emerging global AI expectations and enabling customers to innovate with confidence.
Assess Your Annex 22 Readiness
The clock is ticking toward 2027 enforcement. Merit Solutions helps biopharmaceutical and medical device manufacturers deploy ERP solutions that are compliant by design—not retrofitted afterward.
Schedule a strategic consultation to discuss how your Dynamics 365 implementation can support Annex 22 compliance from day one.
EU GMP Annex 22 FAQ
What is EU GMP Annex 22?
EU GMP Annex 22 is the European Union’s proposed guidance for using artificial intelligence (AI) and machine-learning (ML) systems in GMP-regulated pharmaceutical and biotech manufacturing. It sits under EudraLex Volume 4 and outlines how AI models must be validated, monitored, documented, and risk-managed when they impact product quality, patient safety, or data integrity. (Source: European Commission draft Annex 22 consultation document.)
When does Annex 22 become mandatory?
Annex 22 is still in draft form and has not yet been finalized or assigned an official implementation date. The European Commission published it for public consultation, and once the final text is issued, it will include:
- a date of publication, and
- a transition period after which compliance becomes mandatory (typically several months, as seen with other GMP annex updates).
Until the final version is released, Annex 22 is not legally binding, but regulators expect companies to begin preparing because AI/ML governance will soon become a formal GMP requirement.
What’s the difference between critical and non-critical AI?
In short, critical AI can influence quality decisions; non-critical AI cannot.
Critical AI refers to any Artificial Intelligence (AI)/Machine Learning (ML) model whose output can directly affect product quality, patient safety, or GMP-relevant data integrity. Examples include models used in:
- automated visual inspection of sterile products
- in-process control decisions
- release testing or batch disposition support
- process parameter predictions that drive manufacturing actions
Because these systems influence regulated decisions, they must meet the full Annex 22 requirements—including defined intended use, independent test datasets, explainability, drift monitoring, and strict change control.
Non-critical AI covers models that do not impact GMP-critical decisions and carry no direct quality or safety risk. These might include:
- scheduling optimizations
- resource planning
- maintenance forecasting
- non-GMP data analytics or trend reporting
While good practice still applies, these systems do not require the same level of validation or regulatory oversight as critical AI.
Can pharmaceutical manufacturers use generative AI under Annex 22?
Per the current draft, no — not for GMP-critical activities.
The European Commission’s draft of EU GMP Annex 22 explicitly states that generative AI, large language models (LLMs), and continuously learning (“dynamic”) models are not permitted for critical GMP uses. Only static, deterministic models—those that produce the same output for the same input and do not update themselves in production—can be used in GMP-critical processes.
How does Annex 22 differ from Annex 11?
Essentially, Annex 11 governs the system. Annex 22 governs the intelligence inside the system.
Annex 11 covers all computerized systems used in GMP environments—things like LIMS, MES, ERP, automation platforms, and electronic records. It focuses on traditional computer system validation, data integrity, security, and lifecycle controls.
Annex 22, on the other hand, is specifically about AI and machine-learning models. It adds requirements that Annex 11 does not address, including:
- how training data is selected, cleaned, and governed
- the need for independent test datasets to avoid bias
- requirements for explainability and confidence levels
- ongoing model performance monitoring and drift detection
- restrictions on dynamic or continuously learning models in GMP-critical roles